[Bug tree-optimization/98513] New: [10/11 Regression] Wrong code with -O3 since r10-2804-gbf05a3bbb58b3558

["marxin at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98513

            Bug ID: 98513
           Summary: [10/11 Regression] Wrong code with -O3 since
                    r10-2804-gbf05a3bbb58b3558
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Keywords: wrong-code
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: acoplan at gcc dot gnu.org, rguenth at gcc dot gnu.org
  Target Milestone: ---

It's reduced from a yarpgen test-case:

$ cat combined.cc
extern unsigned long long var_20;
extern unsigned short arr_8[][26][1][1][11];
const int &max(int &a, const int &b) { return a > b ? a : b; }
int test___trans_tmp_1, var_5 = -1251116163, var_6 = -1745956746;
void test(int var_5, int var_6,
          signed char arr_1[][26][19]) {
  for (unsigned i_0 = 0; i_0 < 21; i_0 += 2)
    for (int i_2 = 0; i_2 < 8; i_2 += 82) {
      for (int i_3 = 0; i_3 < test___trans_tmp_1; i_3 += 70)
        for (short i_4 = 0; i_4 < 20; i_4 += 4)
          var_20 = max(var_5, 0);
      for (int i_5 = 0; i_5 < 19;
           i_5 += 20)
        for (int i_6 = var_6 + 1745956746; i_6 < var_5 + 1251116173; i_6 += 1)
          arr_8[3][2][i_2][i_5][i_6] = arr_1[3][2][i_2];
    }
}
unsigned long long var_20;
signed char arr_1[1][26][19];
unsigned short arr_8[22][26][1][1][11];
int main() { test(var_5, var_6, arr_1); }

$ g++-10 -O3 combined.cc -Wall -Wextra -Werror && timeout 2 valgrind ./a.out
==9389== Memcheck, a memory error detector
==9389== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9389== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==9389== Command: ./a.out
==9389== 
==9389== Invalid write of size 2
==9389==    at 0x401250: test(int, int, signed char (*) [26][19]) (in
/home/marxin/Programming/yarpgen/objdir/S3105191294/a.out)
==9389==    by 0x401035: main (in
/home/marxin/Programming/yarpgen/objdir/S3105191294/a.out)
==9389==  Address 0xffffffff00404740 is not stack'd, malloc'd or (recently)
free'd
==9389== 
==9389== 
==9389== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==9389==  Access not within mapped region at address 0xFFFFFFFF00404740
==9389==    at 0x401250: test(int, int, signed char (*) [26][19]) (in
/home/marxin/Programming/yarpgen/objdir/S3105191294/a.out)
==9389==    by 0x401035: main (in
/home/marxin/Programming/yarpgen/objdir/S3105191294/a.out)
==9389==  If you believe this happened as a result of a stack
==9389==  overflow in your program's main thread (unlikely but
==9389==  possible), you can try to increase the size of the
==9389==  main thread stack using the --main-stacksize= flag.
==9389==  The main thread stack size used in this run was 8388608.
==9389== 
==9389== HEAP SUMMARY:
==9389==     in use at exit: 0 bytes in 0 blocks
==9389==   total heap usage: 1 allocs, 1 frees, 72,704 bytes allocated
==9389== 
==9389== All heap blocks were freed -- no leaks are possible
==9389== 
==9389== For lists of detected and suppressed errors, rerun with: -s
==9389== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
timeout: the monitored command dumped core
Segmentation fault

It should not contain any undefined behavior, verified with:

$ clang++ combined.cc -Wall -Wextra -Werror && timeout 1 ./a.out && g++
combined.cc -Wall -Wextra -Werror && timeout 1 ./a.out && g++-10
-fsanitize=address,undefined -fno-sanitize-recover=all combined.cc && timeout 2
./a.out